Pre-installed malware that signs mobile users up for subscription services without their permission has been discovered on thousands of low cost smartphones from the Chinese manufacturer Transsion.
The discovery was made by Upstream’s anti-fraud platform Secure-D whose researchers conducted a full investigation into the origin of the suspicious transactions detected by its platform.
Beginning in March of last year, the firm discovered and blocked an unusually large number of transactions originating from Transsion Tecno W3 handsets in Ethiopia, Cameroon, Egypt, Ghana and South Africa with additional fraudulent mobile transactions detected in another 14 countries.
To date, a total of 19.2m suspicious transactions, which would have secretly signed users up for subscription services without their permission, have been recorded from over 200k unique devices. Many of these blocked transactions were carried out by a family of apps called com.mufc whose source is unknown and cannot be downloaded from any Android app store.
Head of Secure-D at Upstream, Geoffrey Cleaves provided further insight on the current state of mobile ad fraud, saying:
“Mobile ad fraud is fast becoming an epidemic which, if left unchecked, will throttle mobile advertising, erode trust in operators and leave users saddled with higher bills. A unified approach is needed to raise awareness. This particular threat takes advantage of those most vulnerable. The fact that the malware arrives pre-installed on handsets that are bought in the millions by typically low-income households tells you everything you need to know about what the industry is currently up against.”
Pre-installed malware
In order to investigate the high number of suspicious transactions it observed, Secure-D acquired a selection of both newly purchased Tecno W2 mobile phones and devices from real users. The firm’s analysis was carried out using a combination of device models and firmware versions and the smartphones tested were connected to a variety of different network types.
Secure-D’s investigation confirmed that Transsion’s Tecno W2 devices came with Triada-related malware pre-installed. Triada is a popular malware that acts as a software backdoor and malware downloader. The malware uses top-level device privileges to execute arbitrary malicious code after receiving instructions from a remote command and control server before hiding its presence inside permanent system components to further avoid detection.
Once Secure-D connected the Tecno W2 devices it had acquired to the internet, the Triada malware downloaded a trojan called xHelper. The trojan persists across reboots, app removals and even factory resets which makes it extremely difficult to remove even for experienced professionals.
Secure-D also found that when xHelper components are exposed to the right environment such as a particular phone network, they made queries to find new subscription targets and submit fraudulent subscription requests on behalf of the phone’s unsuspecting owner. As these requests are automatic and invisible, they would have consumed user’s pre-paid airtime as this is the only way to make digital payments in many emerging markets.
Transsion may not even be to blame as a blog post from Google’s security team attributes Triada’s existence to the actions of a malicious supplier somewhere within the supply chain of affected devices.
TechRadar Pro has reached out to Transsion Holdings for a statement but the company has yet to respond at the time of writing.